People
(Reporter: nils, Assigned: longsonr)
Tracking
({sec-critical})
Firefox Tracking Flags
(firefox36 wontfix, firefox37+ fixed, firefox38+ fixed, firefox39+ fixed, firefox-esr31 unaffected, b2g-v1.4 unaffected, b2g-v2.0 unaffected, b2g-v2.0M unaffected, b2g-v2.1 disabled, b2g-v2.1S disabled, b2g-v2.2 disabled, b2g-master fixed)
Details
(Whiteboard: [adv-main37+])
Attachments
(2 attachments)
Created attachment 8566442 [details]
testcase
When binding a <source> element to a tree the function checks for any siblings of type <img>. It fails to validate the namespace and only checks for the tag name:
    if (aParent && aParent->IsNodeOfType(nsINode::eMEDIA)) {
        HTMLMediaElement* media = static_cast<HTMLMediaElement*>(aParent);
        media->NotifyAddedSource();
    } else if (aParent && aParent->Tag() == nsGkAtoms::picture) {
        // Find any img siblings after this <source> and notify them
        nsCOMPtr<nsINode> sibling = AsContent();
        while ( (sibling = sibling->GetNextSibling()) ) {
            // Compares the tag name only; the namespace is never checked,
            // so a non-HTML element named "img" passes and is cast below.
            if (sibling->Tag() == nsGkAtoms::img) {
                HTMLImageElement *img = static_cast<HTMLImageElement*>(sibling.get());
                img->PictureSourceAdded(AsContent());
            }
        }
    }
This can result in a type confusion. See attached testcase which demonstrates the issue. ASan detects this issue as a use-after-free (output attached). This vulnerability can also be triggered on the stable release version of Firefox without <picture> being enabled, as the check in the code only validates the tag name. The testcase crashes on Windows accessing unmapped memory during garbage collection.
Created attachment 8566443 [details]
asan.txt
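To make the report's point concrete, here is an added example (not Firefox code and not part of this bug) that models the sibling walk with stand-in atoms, namespaces and element classes. It puts the tag-name-only selection beside a namespace-aware one, modelled on a check of the IsHTMLElement(atom) kind, and counts how many selected siblings the original static_cast would have mis-typed. The sample sibling list is constructed: a <source>, an HTML <img>, an element in the SVG namespace whose local name is also "img", and another HTML <img>.

```cpp
// Added example (not Firefox code): minimal model of the sibling walk from
// the bug description. Atoms, namespaces and element classes are stand-ins.
#include <cstdio>
#include <memory>
#include <vector>

enum class Namespace { XHTML, SVG };

// Stand-in for nsGkAtoms: interned names compared by address and shared by
// every namespace, which is why comparing the tag atom alone says nothing
// about the element's C++ type.
struct Atom { const char* name; };
static const Atom kImgAtom{"img"};
static const Atom kSourceAtom{"source"};

struct Node {
  const Atom* tag;
  Namespace ns;
  Node* next = nullptr;
  Node(const Atom* t, Namespace n) : tag(t), ns(n) {}
  virtual ~Node() = default;
  const Atom* Tag() const { return tag; }
  // Namespace-aware test: both the local name and the namespace must match.
  bool IsHTMLElement(const Atom* a) const { return ns == Namespace::XHTML && tag == a; }
  Node* GetNextSibling() const { return next; }
};

// Only real HTML <img> elements carry the callback the walk wants to invoke.
struct HTMLImageElement : Node {
  int notified = 0;
  HTMLImageElement() : Node(&kImgAtom, Namespace::XHTML) {}
  void PictureSourceAdded() { ++notified; }
};

// Any other element, e.g. one whose local name is "img" but which lives in
// the SVG namespace and therefore is not an HTMLImageElement at all.
struct GenericElement : Node {
  using Node::Node;
};

// Vulnerable selection: mirrors `sibling->Tag() == nsGkAtoms::img`.
std::vector<Node*> SelectByTagOnly(Node* source) {
  std::vector<Node*> picked;
  for (Node* s = source->GetNextSibling(); s; s = s->GetNextSibling())
    if (s->Tag() == &kImgAtom) picked.push_back(s);
  return picked;
}

// Hardened selection: tag name and namespace both have to match.
std::vector<Node*> SelectByTagAndNamespace(Node* source) {
  std::vector<Node*> picked;
  for (Node* s = source->GetNextSibling(); s; s = s->GetNextSibling())
    if (s->IsHTMLElement(&kImgAtom)) picked.push_back(s);
  return picked;
}

// Counts selected nodes that the original static_cast would have mis-typed.
// dynamic_cast is used only to observe the confusion without triggering it.
int CountTypeConfusions(const std::vector<Node*>& picked) {
  int confused = 0;
  for (Node* n : picked)
    if (dynamic_cast<HTMLImageElement*>(n) == nullptr) ++confused;
  return confused;
}

struct Sample {
  std::vector<std::unique_ptr<Node>> nodes;  // owns every sibling
  Node* source = nullptr;
};

// Constructed sibling list: <source>, HTML <img>, SVG "img", HTML <img>.
Sample BuildSample() {
  Sample s;
  s.nodes.emplace_back(new GenericElement(&kSourceAtom, Namespace::XHTML));
  s.nodes.emplace_back(new HTMLImageElement());
  s.nodes.emplace_back(new GenericElement(&kImgAtom, Namespace::SVG));
  s.nodes.emplace_back(new HTMLImageElement());
  for (size_t i = 0; i + 1 < s.nodes.size(); ++i)
    s.nodes[i]->next = s.nodes[i + 1].get();
  s.source = s.nodes[0].get();
  return s;
}

int main() {
  Sample s = BuildSample();
  std::printf("tag only:       %zu picked, %d mis-typed\n",
              SelectByTagOnly(s.source).size(),
              CountTypeConfusions(SelectByTagOnly(s.source)));
  std::printf("tag+namespace:  %zu picked, %d mis-typed\n",
              SelectByTagAndNamespace(s.source).size(),
              CountTypeConfusions(SelectByTagAndNamespace(s.source)));
  return 0;
}
```

The tag-only walk selects all three "img" siblings and would static_cast the SVG one to HTMLImageElement, which is the type confusion the report describes; the namespace-aware walk selects only the two real HTML images. In a DOM implementation the same lesson applies to any sibling or ancestor walk that downcasts on the basis of a local name.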
Updated•4 years ago
Assignee: nobody → longsonr
Updated•4 years ago
Flags: sec-bounty?
Updated•4 years ago
Keywords: sec-critical
Updated•4 years ago
status-firefox36: --- → wontfix
status-firefox37: --- → affected
status-firefox38: --- → affected
status-firefox39: --- → affected
status-firefox-esr31: --- → unaffected
tracking-firefox37: --- → +
tracking-firefox38: --- → +
tracking-firefox39: --- → +
Updated•4 years ago
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
Updated•4 years ago
status-firefox39: affected → fixed
Updated•4 years ago
status-b2g-v1.4: --- → unaffected
status-b2g-v2.0: --- → unaffected
status-b2g-v2.0M: --- → unaffected
status-b2g-v2.1: --- → disabled
status-b2g-v2.1S: --- → disabled
status-b2g-v2.2: --- → disabled
status-b2g-master: --- → fixed
status-firefox37: affected → fixed
status-firefox38: affected → fixed
Updated•4 years ago
Flags: sec-bounty? → sec-bounty+
Updated•4 years ago
Whiteboard: [adv-main37+]
Updated•4 years ago
Alias: CVE-2015-0804
Updated•4 years ago
Group: core-security → core-security-release
Updated•3 years ago
Group: core-security-release